Abstract

The prime number theorem, established by Hadamard and de la Vallée
Poussin independently in 1896, asserts that the density of primes in the
positive integers is asymptotic to $1/\ln x$. Whereas their proofs made
serious use of the methods of complex analysis, elementary proofs were
provided by Selberg and Erdős in 1948. We describe a formally verified
version of Selberg's proof, obtained using the Isabelle proof assistant.

1 Introduction 

For each positive integer $x$, let $\pi(x)$ denote the number of primes less than or
equal to $x$. The prime number theorem asserts that the density of primes $\pi(x)/x$
in the positive integers is asymptotic to $1/\ln x$, i.e. that $\lim_{x \to \infty} \pi(x) \ln x / x = 1$.
This was conjectured by Gauss and Legendre around the turn of the nineteenth
century, and posed a challenge to the mathematical community for almost a
hundred years, until Hadamard and de la Vallée Poussin proved it independently
in 1896.

On September 6, 2004, the first author of this article verified the following 
statement, using the Isabelle proof assistant: 

(λx. pi x * ln (real x) / (real x)) ----> 1

The system thereby confirmed that the prime number theorem is a consequence 
of the axioms of higher-order logic, together with an axiom asserting the exis- 
tence of an infinite set. 

One reason the formalization is interesting is simply that it is a landmark, 
showing that today's proof assistants have achieved a level of usability that 
makes it possible to formalize substantial theorems of mathematics. Similar 
achievements in the past year include George Gonthier's verification of the four 
color theorem using Coq, and Thomas Hales's verification of the Jordan curve 

*To appear in ACM Transactions on Computational Logic. Work by the first author has
been supported by NSF grant DMS-0401042.
theorem using HOL-light (see the introduction to Wiedijk [?]). As contemporary
mathematical proofs become increasingly complex, the need for formal
verification becomes pressing. Formal verification can also help guarantee
correctness when, as is becoming increasingly common, proofs rely on
computations that are too long to check by hand. Hales's ambitious Flyspeck
project [?], which aims for a fully verified form of his proof of the Kepler
conjecture, is a response to both of these concerns. Here, we will provide some
information as to the time and effort that went into our formalization, which
should help gauge the feasibility of such verification efforts.

More interesting, of course, are the lessons that can be learned. This, how- 
ever, puts us on less certain terrain. Our efforts certainly provide some indica- 
tions as to how to improve libraries and systems for verifying mathematics, but 
the data still need to be processed and better understood. Here, therefore, we 
simply offer some initial thoughts and observations. 

The outline of this paper is as follows. In Section 2 we provide some background
on the prime number theorem and the Isabelle proof assistant. In Section 3 we
provide an overview of Selberg's proof, our formalization, and the effort
involved. In Section 4 we discuss some interesting aspects of the formalization:
the use of asymptotic reasoning; calculations with real numbers; casts between
natural numbers, integers, and real numbers; combinatorial reasoning in number
theory; and the use of elementary methods. Finally, in Section 5 we offer some
brief conclusions.

Our formalization of the prime number theorem was a collaborative effort on 
the part of Avigad, Donnelly, Gray, and Raff, building, of course, on the efforts 
of the entire Isabelle development team. This article was, however, written by 
Avigad, so opinions and speculation contained herein should be attributed to 
him. 

2 Background 

2.1 The prime number theorem 

The statement of the prime number theorem was conjectured by both Gauss
and Legendre, on the basis of computation, around the turn of the nineteenth
century. In a pair of papers published in 1851 and 1852, Chebyshev made
significant advances towards proving it. Note that we can write

$$\pi(x) = \sum_{p \le x} 1,$$

where $p$ ranges over the prime numbers. Contrary to our notation above, $x$
is usually treated as a real variable, making $\pi$ a step function on the reals.
Chebyshev defined, in addition, the functions

$$\theta(x) = \sum_{p \le x} \ln p$$

and

$$\psi(x) = \sum_{p^a \le x} \ln p = \sum_{n \le x} \Lambda(n),$$

where

$$\Lambda(n) = \begin{cases} \ln p & \text{if } n = p^a \text{ for some } a \ge 1 \\ 0 & \text{otherwise.} \end{cases}$$

The functions $\theta$ and $\psi$ are more sensitive to the presence of primes than $\pi$,
and have nicer analytic properties. Chebyshev showed that the prime number
theorem is equivalent to the assertion $\lim_{x \to \infty} \theta(x)/x = 1$, as well as to the
assertion $\lim_{x \to \infty} \psi(x)/x = 1$. He also provided bounds

$$B < \pi(x) \ln x / x < 6B/5$$

for sufficiently large $x$, where

$$B = \ln 2/2 + \ln 3/3 + \ln 5/5 - \ln 30/30 > 0.92$$

and $6B/5 < 1.11$. So, as $x$ approaches infinity, $\pi(x) \ln x / x$, at worst, oscillates
between these two values.

In a landmark work of 1859, Riemann introduced the complex-valued function
$\zeta$ into the study of number theory. It was not until 1894, however, that
von Mangoldt provided an expression for $\psi$ that reduced the prime number
theorem, essentially, to showing that $\zeta$ has no roots with real part equal to 1. This
last step was achieved by Hadamard and de la Vallée Poussin, independently, in
1896. The resulting proofs make strong use of the theory of complex functions.
In 1921, Hardy expressed strong doubts as to whether a proof of the theorem
was possible which did not depend, fundamentally, on these ideas. In 1948,
however, Selberg and Erdős found elementary proofs based on a "symmetry
formula" due to Selberg. (The nature of the interactions between Selberg and
Erdős at the time and the influence of ideas is a subtle one, and was the source
of tensions between the two for years to come.) Since the libraries we had to
work with had only a minimal theory of the complex numbers and a limited real
analysis library, we chose to formalize the Selberg proof.

There are a number of good introductions to analytic number theory (for
example, [?]). Edwards's Riemann's zeta function [?] is an excellent source of
both historical and mathematical information. A number of textbooks present
Selberg's proof, including those by Nathanson [?], Shapiro [?], and Hardy and
Wright [?]. We followed Shapiro's excellent presentation quite closely, though
we made good use of Nathanson's book as well.

We also had help from another source. Cornaros and Dimitracopoulos [?]
have shown that the prime number theorem is provable in a weak fragment of
arithmetic, by showing how to formalize Selberg's proof (based on Shapiro's
presentation) in that fragment.¹ Their concerns were different from ours: by
relying on a formalization of higher-order logic, we were allowing ourselves a
logically stronger theory; on the other hand, Cornaros and Dimitracopoulos
were concerned solely with axiomatic provability and not ease of formalization.
Their work was, however, quite helpful in stripping the proof down to its bare
essentials. Also, since our libraries did not have a good theory of integration,
we had to take some care to avoid the mild uses of analysis in the textbook
presentations. Cornaros and Dimitracopoulos's work was again often helpful in
that respect.

¹For issues relating to the formalization of mathematics, and number theory in particular,
in weak theories of arithmetic, see Avigad [?].

2.2 Isabelle 

Isabelle [?] is a generic proof assistant developed under the direction of Larry
Paulson at Cambridge University and Tobias Nipkow at TU Munich. The HOL
instantiation [?] provides a formal framework that is a conservative extension
of Church's simple type theory with an infinite type (from which the natural
numbers are constructed), extensionality, and the axiom of choice. Specifically,
HOL extends ordinary type theory with set types, and a schema for polymorphic
axiomatic type classes designed by Nipkow and implemented by Marcus Wenzel
[?]. It also includes a definite description operator ("THE"), and an indefinite
description operator ("SOME").²

Isabelle offers good automated support, including a term simplifier, an
automated reasoner (which combines tableau search with rewriting), and decision
procedures for linear and Presburger arithmetic. It is an LCF-style theorem
prover, which is to say, correctness is guaranteed by the use of a small number
of constructors, in an underlying typed programming language, to build proofs.
Using the Proof General interface [?], one can construct proofs interactively
by repeatedly applying "tactics" that reduce a current subgoal to simpler ones.
But Isabelle also allows one to take advantage of a higher-level proof language,
called Isar, implemented by Wenzel [?]. These two styles of interaction can,
furthermore, be combined within a proof. We found Isar to be extremely helpful in
structuring complex proofs, whereas we typically resorted to tactic-application
for filling in low-level inferences. Occasionally, we also made mild use of
Isabelle's support for locales [?]. For more information on Isabelle, one should
consult the tutorial [?] and other online documentation [?].

Our formalization made use of the basic HOL library, as well as those parts
of the HOL-Complex library, developed primarily by Jacques Fleuriot, that deal
with the real numbers. Some of our earlier definitions, lemmas, and theorems
made their way into the 2004 release of Isabelle, in which the formalization
described here took place. Some additional theorems in our basic libraries will
be part of the 2005 release.

²The extension by set types is mild, since they are easily interpretable in terms of predicate
types $\tau \to \mathit{bool}$. Similarly, the definite description operator can be eliminated, at least in
principle, using Russell's well-known interpretation. It is the indefinite description operator,
essentially a version of Hilbert's epsilon operator, that gives rise to the axiom of choice.
Though we occasionally used the indefinite description operator for convenience, these uses
could easily be replaced by the definite description operator, and it is likely that uses of the
axiom of choice can be dispensed with in the libraries as well. In any event, it is a folklore
result that Gödel's methods transfer to higher-order logic to show that the axiom of choice is
a conservative extension for a fragment that includes the prime number theorem.

3 Overview 

3.1 The Selberg proof 

The prime number theorem describes the asymptotic behavior of a function
from the natural numbers to the reals. Analytic number theory works by
extending the domain of such functions to the real numbers, and then providing
a toolbox for reasoning about such functions. One is typically concerned with
rough characterizations of a function's rate of growth; thus $f = O(g)$ expresses
the fact that for some constant $C$, $|f(x)| \le C|g(x)|$ for every $x$. (Sometimes,
when writing $f = O(g)$, one really means that the inequality holds except for
some initial values of $x$, where $g$ is 0 or one of the functions is undefined; or
that the inequality holds when $x$ is large enough.)

For example, all of the following identities can be obtained using elementary
calculus:

$$\begin{aligned}
\ln(1 + 1/n) &= 1/n + O(1/n^2) \\
\sum_{n \le x} 1/n &= \ln x + O(1) \\
\sum_{n \le x} \ln n &= x \ln x - x + O(\ln x) \\
\sum_{n \le x} \ln n / n &= \ln^2 x / 2 + O(1)
\end{aligned}$$

In all of these, $n$ ranges over positive integers. The last three identities hold
whether one takes $x$ to be an integer or a real number greater than or equal to
1. The second identity reflects the fact that the integral of $1/x$ is $\ln x$, and the
third reflects the fact that the integral of $\ln x$ is $x \ln x - x$. A list of identities
like these forms one part of the requisite background to the Selberg proof.

Some of Chebyshev's results form another part. Rate-of-growth comparisons
between $\theta$, $\psi$, and $\pi$ sufficient to show the equivalence of the various statements
of the prime number theorem can be obtained by fairly direct calculations.
Obtaining any of the upper bounds equivalent to $\psi(x) = O(x)$ requires more
work. A nice way of doing this, using binomial coefficients, can be found in
Nathanson [?].

Number theory depends crucially on having different ways of counting things,
and rudimentary combinatorial methods form a third prerequisite to the Selberg
proof. For example, consider the set of (positive) divisors $d$ of a positive natural
number $n$. Since the function $d \mapsto n/d$ is a permutation of that set, we have
the following identity:

$$\sum_{d \mid n} f(d) = \sum_{d \mid n} f(n/d).$$
For a more complicated example, suppose $n$ is a positive integer, and consider
the set of pairs $d, d'$ of positive integers such that $dd' \le n$. There are two ways
to enumerate these pairs: for each value of $d$ between 1 and $n$, we can enumerate
all the values $d'$ such that $d' \le n/d$; or for each product $c$ less than $n$, we can
enumerate all pairs $d, c/d$ whose product is $c$. Thus we have

$$\sum_{d \le n} \sum_{d' \le n/d} f(d, d') = \sum_{dd' \le n} f(d, d') = \sum_{c \le n} \sum_{d \mid c} f(d, c/d). \tag{1}$$

A similar argument yields

$$\sum_{d \mid n} \sum_{d' \mid (n/d)} f(d, d') = \sum_{dd' \mid n} f(d, d') = \sum_{c \mid n} \sum_{d \mid c} f(d, c/d). \tag{2}$$

Yet another important combinatorial identity is given by the partial summation
formula, which, in one formulation, is as follows: if $a \le b$, $F(n) = \sum_{i=1}^{n} f(i)$,
and $G$ is any function, then

$$\sum_{n=a}^{b} f(n+1) G(n+1) = F(b+1) G(b+1) - F(a) G(a+1) - \sum_{n=a}^{b-1} F(n+1) \bigl( G(n+2) - G(n+1) \bigr).$$

This can be viewed as a discrete analogue of integration by parts, and can be
verified by induction.

An important use of (2) occurs in the proof of the Möbius inversion formula,
which we now describe. A positive natural number $n$ is said to be squarefree
if no prime in its factorization occurs with multiplicity greater than 1; in other
words, $n = p_1 p_2 \cdots p_s$ where the $p_i$'s are distinct primes (and $s$ may be 0).
Euler's function $\mu$ is defined by

$$\mu(n) = \begin{cases} (-1)^s & \text{if } n \text{ is squarefree and } s \text{ is as above} \\ 0 & \text{otherwise.} \end{cases}$$

A remarkably useful fact regarding $\mu$ is that for $n > 0$,

$$\sum_{d \mid n} \mu(d) = \begin{cases} 1 & \text{if } n = 1 \\ 0 & \text{otherwise.} \end{cases} \tag{3}$$

To see this, define the radical of a number $n$, denoted $\mathrm{rad}(n)$, to be the greatest
squarefree number dividing $n$. It is not hard to see that if $n$ has prime
factorization $p_1^{a_1} p_2^{a_2} \cdots p_s^{a_s}$, then $\mathrm{rad}(n)$ is given by $p_1 p_2 \cdots p_s$. Then
$\sum_{d \mid n} \mu(d) = \sum_{d \mid \mathrm{rad}(n)} \mu(d)$, since divisors of $n$ that are not divisors of $\mathrm{rad}(n)$ are not
squarefree and hence contribute 0 to the sum. If $n = 1$, equation (3) is clear.
Otherwise, write $\mathrm{rad}(n) = p_1 p_2 \cdots p_s$, write

$$\sum_{d \mid \mathrm{rad}(n)} \mu(d) = \sum_{d \mid \mathrm{rad}(n),\ p_1 \mid d} \mu(d) + \sum_{d \mid \mathrm{rad}(n),\ p_1 \nmid d} \mu(d)$$

and note that each term in the first sum is canceled by a corresponding one in
the second.
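The two divisor-pair identities (1) and (2) and the partial summation formula stated above can be checked mechanically on small inputs. The following Python block is an added example, not code from the paper or from the Isabelle formalization it describes; the function names and the constructed test functions (products and squares of the indices) are mine, and every sum is evaluated by brute force over integers so that the three sides of each identity can be compared exactly.

```python
# Added example (not from the paper): brute-force checks of the two
# divisor-pair identities (1) and (2) and of the partial summation formula.
# All arithmetic is on integers so the comparisons are exact.
from typing import Callable, List, Tuple

Pair = Callable[[int, int], int]


def divisors(n: int) -> List[int]:
    """Positive divisors of n, in increasing order."""
    return [d for d in range(1, n + 1) if n % d == 0]


def identity_1(f: Pair, n: int) -> Tuple[int, int, int]:
    """The three sides of (1): pairs (d, d') with d*d' <= n, summed three ways."""
    by_d = sum(f(d, dp) for d in range(1, n + 1) for dp in range(1, n // d + 1))
    all_pairs = sum(f(d, dp) for d in range(1, n + 1)
                    for dp in range(1, n + 1) if d * dp <= n)
    by_product = sum(f(d, c // d) for c in range(1, n + 1) for d in divisors(c))
    return by_d, all_pairs, by_product


def identity_2(f: Pair, n: int) -> Tuple[int, int, int]:
    """The three sides of (2): pairs (d, d') with d*d' dividing n."""
    by_d = sum(f(d, dp) for d in divisors(n) for dp in divisors(n // d))
    all_pairs = sum(f(d, dp) for d in divisors(n)
                    for dp in divisors(n) if n % (d * dp) == 0)
    by_product = sum(f(d, c // d) for c in divisors(n) for d in divisors(c))
    return by_d, all_pairs, by_product


def partial_summation(f: Callable[[int], int], G: Callable[[int], int],
                      a: int, b: int) -> Tuple[int, int]:
    """Left and right sides of the partial summation formula for a <= b,
    with F(n) = f(1) + ... + f(n) (so F(0) is the empty sum, 0)."""
    def F(n: int) -> int:
        return sum(f(i) for i in range(1, n + 1))

    lhs = sum(f(n + 1) * G(n + 1) for n in range(a, b + 1))
    rhs = (F(b + 1) * G(b + 1) - F(a) * G(a + 1)
           - sum(F(n + 1) * (G(n + 2) - G(n + 1)) for n in range(a, b)))
    return lhs, rhs


def all_checks_pass(limit: int = 30) -> bool:
    """Run every identity on a few constructed test functions up to `limit`."""
    funcs = [lambda d, dp: d * dp, lambda d, dp: d + 2 * dp, lambda d, dp: d ** 2]
    for n in range(1, limit + 1):
        for f in funcs:
            if len(set(identity_1(f, n))) != 1 or len(set(identity_2(f, n))) != 1:
                return False
    for a in range(0, 6):
        for b in range(a, 10):
            lhs, rhs = partial_summation(lambda i: i * i, lambda n: 3 * n + 1, a, b)
            if lhs != rhs:
                return False
    return True
```

For `f(d, d') = dd'` and `n = 12`, all three sides of (1) evaluate to 264 and all three sides of (2) to 119; the partial summation check with `a = 0` exercises the empty-sum case `F(0) = 0`, which the formula handles without a special case.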

Now, suppose $g$ is any function from $\mathbb{N}$ to $\mathbb{R}$, and define $f$ by $f(n) =
\sum_{d \mid n} g(d)$. The Möbius inversion formula provides a way of "inverting" the
definition to obtain an expression for $g$ in terms of $f$. Using (2) for the third
equality below and (3) for the last, we have, somewhat miraculously,

$$\begin{aligned}
\sum_{d \mid n} \mu(d) f(n/d) &= \sum_{d \mid n} \mu(d) \sum_{d' \mid (n/d)} g((n/d)/d') \\
&= \sum_{d \mid n} \sum_{d' \mid (n/d)} \mu(d)\, g((n/d)/d') \\
&= \sum_{c \mid n} \sum_{d \mid c} \mu(d)\, g(n/c) \\
&= \sum_{c \mid n} g(n/c) \sum_{d \mid c} \mu(d) \\
&= g(n),
\end{aligned}$$

since the inner sum on the second-to-last line is 0 except when $c$ is equal to 1.
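The Möbius function, the radical argument for (3), and the inversion formula just derived can all be exercised directly. The Python block below is an added example and not part of the paper or its Isabelle libraries; the function names are mine, factorization is by plain trial division, and `roundtrip_ok` constructs `f` from a chosen `g` exactly as in the text and checks that inversion returns `g`.

```python
# Added example (not from the paper): the Möbius function μ, the radical,
# identity (3), and Möbius inversion, checked by direct computation.
from typing import Callable, Dict, List


def factorize(n: int) -> Dict[int, int]:
    """Prime factorization of n >= 1 as {p: multiplicity}, by trial division."""
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def mu(n: int) -> int:
    """μ(n) = (-1)^s if n is a product of s distinct primes, 0 otherwise."""
    factors = factorize(n)
    if any(a > 1 for a in factors.values()):
        return 0
    return (-1) ** len(factors)


def rad(n: int) -> int:
    """Greatest squarefree divisor of n: the product of its distinct primes."""
    r = 1
    for p in factorize(n):
        r *= p
    return r


def divisors(n: int) -> List[int]:
    return [d for d in range(1, n + 1) if n % d == 0]


def mu_divisor_sum(n: int) -> int:
    """Left side of (3): sum of μ(d) over d | n; equals 1 iff n == 1."""
    return sum(mu(d) for d in divisors(n))


def mu_radical_sum(n: int) -> int:
    """The same sum restricted to d | rad(n).  The divisors dropped here are
    not squarefree and contribute 0, so this agrees with mu_divisor_sum."""
    return sum(mu(d) for d in divisors(rad(n)))


def mobius_invert(f: Callable[[int], int], n: int) -> int:
    """Recover g(n) from f(n) = sum_{d|n} g(d) via g(n) = sum_{d|n} μ(d) f(n/d)."""
    return sum(mu(d) * f(n // d) for d in divisors(n))


def roundtrip_ok(g: Callable[[int], int], limit: int = 60) -> bool:
    """Define f from g as in the text, invert, and confirm g comes back."""
    def f(n: int) -> int:
        return sum(g(d) for d in divisors(n))
    return all(mobius_invert(f, n) == g(n) for n in range(1, limit + 1))
```

One consequence worth seeing: since the divisor sum of Euler's totient is $\sum_{d \mid n} \varphi(d) = n$, inverting $f(n) = n$ returns $\varphi(n)$, so `mobius_invert(lambda n: n, 12)` is $\varphi(12) = 4$.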

All the pieces just described come together to yield additional identities
involving sums, $\ln$, and $\mu$, as well as Mertens's theorem:

$$\sum_{n \le x} \Lambda(n)/n = \ln x + O(1).$$

These, in turn, are used to derive Selberg's elegant "symmetry formula," which
is the central component in the proof. One formulation of the symmetry formula
is as follows:

$$\sum_{n \le x} \Lambda(n) \ln n + \sum_{n \le x} \sum_{d \mid n} \Lambda(d) \Lambda(n/d) = 2x \ln x + O(x).$$

There are, however, many variants of this identity, involving $\Lambda$, $\psi$, and $\theta$. These
crop up in profusion because one can always unpack definitions of the various
functions, apply the types of combinatorial manipulations described above, and
use identities and approximations to simplify expressions.

What makes the Selberg symmetry formula so powerful is that there are two
terms in the sum on the left, each sensitive to the presence of primes in different
ways. The formula above implies there have to be some primes (to make the
left-hand side nonzero) but there can't be too many. Selberg's proof involves
cleverly balancing the two terms off each other, to show that in the long run,
the density of the primes has the appropriate asymptotic behavior.

Specifically, let $R(x) = \psi(x) - x$ denote the "error term," and note that by
Chebyshev's equivalences the prime number theorem amounts to the assertion
$\lim_{x \to \infty} R(x)/x = 0$. With some delicate calculation, one can use the symmetry
formula to obtain a bound on $|R(x)|$:

$$|R(x)| \ln^2 x \le 2 \sum_{n \le x} |R(x/n)| \ln n + O(x \ln x). \tag{4}$$

Now, suppose we have a bound $|R(x)| \le ax$ for sufficiently large $x$. Substituting
this into the right side of (4) and using an approximation for $\sum_{n \le x} \ln n / n$, we
get

$$|R(x)| \le ax + O(x / \ln x),$$

which is not an improvement on the bound $|R(x)| \le ax$ with which we began.
Selberg's method involves showing that in fact there are always enough
sufficiently large intervals on which one can obtain a stronger bound on $R(x)$, so
that for some positive constant $k$, assuming we have a bound $|R(x)| \le ax$ that is
valid for $x \ge c_1$, we can obtain a $c_2$ and a better bound $|R(x)| \le (a - ka^2)x$, valid
for $x \ge c_2$. The constant $k$ depends on $a$, but the same constant also works for
any $a' < a$.

By Chebyshev's theorem, we know that there is a constant $a_1$ such that
$|R(x)| \le a_1 x$ for every $x$. Choosing $k$ appropriate for $a_1$ and then setting
$a_{n+1} = a_n - k a_n^2$, we have that for every $n$, there is a $c$ large enough so that
$|R(x)|/x \le a_n$ for every $x \ge c$. But it is not hard to verify that the sequence
$a_1, a_2, \ldots$ approaches 0, which implies that $R(x)/x$ approaches 0 as $x$ approaches
infinity, as required.
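The Chebyshev functions, Mertens's theorem, the symmetry formula and the recursion $a_{n+1} = a_n - k a_n^2$ from this section can be evaluated numerically to see the claimed behaviour. The following Python block is an added example, not code from the paper; the names are mine, $\Lambda$ is tabulated with a smallest-prime-factor sieve, and the double sum in the symmetry formula is rewritten through identity (1) with $f(d, d') = \Lambda(d)\Lambda(d')$ as $\sum_{d \le x} \Lambda(d)\, \psi(x/d)$. The $x$ values used are constructed for the check.

```python
# Added example (not from the paper): Chebyshev's functions, Mertens's
# theorem, the Selberg symmetry formula and the error-term recursion,
# evaluated numerically on constructed ranges of x.
from functools import reduce
from math import gcd, log
from typing import List, Tuple


def smallest_prime_factors(limit: int) -> List[int]:
    """spf[n] = smallest prime factor of n for n >= 2 (spf[n] == n iff n is prime)."""
    spf = list(range(limit + 1))
    for i in range(2, int(limit ** 0.5) + 1):
        if spf[i] == i:
            for j in range(i * i, limit + 1, i):
                if spf[j] == j:
                    spf[j] = i
    return spf


def mangoldt_table(limit: int) -> List[float]:
    """Λ(n) for 0 <= n <= limit: ln p if n = p^a with a >= 1, else 0."""
    spf = smallest_prime_factors(limit)
    lam = [0.0] * (limit + 1)
    for n in range(2, limit + 1):
        p, m = spf[n], n
        while m % p == 0:
            m //= p
        if m == 1:  # n was a pure power of its smallest prime factor
            lam[n] = log(p)
    return lam


def chebyshev(x: int) -> Tuple[float, float, int]:
    """(psi(x), theta(x), pi(x)) for an integer x >= 1."""
    spf = smallest_prime_factors(x)
    lam = mangoldt_table(x)
    primes = [p for p in range(2, x + 1) if spf[p] == p]
    return sum(lam), sum(log(p) for p in primes), len(primes)


def psi_matches_log_lcm(x: int, tol: float = 1e-9) -> bool:
    """Cross-check: psi(x) = ln lcm(1..x), because every prime power p^a <= x
    contributes one ln p, and the largest such power is p's exponent in the lcm."""
    l = reduce(lambda a, b: a * b // gcd(a, b), range(1, x + 1), 1)
    return abs(chebyshev(x)[0] - log(l)) < tol


def mertens_gap(x: int) -> float:
    """sum_{n<=x} Λ(n)/n - ln x, which Mertens's theorem says is O(1)."""
    lam = mangoldt_table(x)
    return sum(lam[n] / n for n in range(1, x + 1)) - log(x)


def selberg_sides(x: int) -> Tuple[float, float]:
    """Left side of the symmetry formula and its main term 2 x ln x.  The
    double sum is sum_{d<=x} Λ(d) psi(x/d) by identity (1), using a prefix
    table for psi."""
    lam = mangoldt_table(x)
    psi = [0.0] * (x + 1)
    for n in range(1, x + 1):
        psi[n] = psi[n - 1] + lam[n]
    first = sum(lam[n] * log(n) for n in range(2, x + 1))
    second = sum(lam[d] * psi[x // d] for d in range(2, x + 1))
    return first + second, 2 * x * log(x)


def error_sequence(a1: float, k: float, steps: int) -> List[float]:
    """a_{n+1} = a_n - k a_n^2: the successive bounds on |R(x)|/x produced by
    iterating Selberg's improvement step.  Positive and decreasing when k a1 < 1;
    its only possible limit L satisfies L = L - k L^2, i.e. L = 0."""
    seq = [a1]
    for _ in range(steps):
        a = seq[-1]
        seq.append(a - k * a * a)
    return seq
```

At $x = 10{,}000$ the left side of the symmetry formula comes out a little below $2x \ln x$, as the $O(x)$ term allows; the Mertens gap at $x = 1000$ stays well within a constant; and the recursion with $a_1 = 0.5$, $k = 0.5$ decreases monotonically toward 0 (roughly like $1/(kn)$, so 200 steps bring it below 0.02).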

3.2 Our formalization 

All told, our number theory session, including the proof of the prime num- 
ber theorem and supporting libraries, constitutes 673 pages of proof scripts, or 
roughly 30,000 lines. This count includes about 65 pages of elementary number 
theory that we had at the outset, developed by Larry Paulson and others; also 
about 50 pages devoted to a proof of the law of quadratic reciprocity and prop- 
erties of Euler's function, neither of which are used in the proof of the prime 
number theorem. The page count does not include the basic HOL library, or 
properties of the real numbers that we obtained from the HOL-Complex library. 

The overview provided in the last section should provide a general sense of 
the components that are needed for the formalization. To start with, one needs 
good supporting libraries: 

• a theory of the natural numbers and integers, including properties of 
primes and divisibility, and the fundamental theorem of arithmetic 

• a library for reasoning about finite sets, sums, and products 
• a library for the real numbers, including properties of $\ln$

The basic Isabelle libraries provided a good starting point, though we had to 
augment these considerably as we went along. More specific supporting libraries 
include: 

• properties of the $\mu$ function, combinatorial identities, and the Möbius
inversion formula

• a library for asymptotic "big O" calculations 

• a number of basic identities involving sums and In 

• Chebyshev's theorems 

Finally, the specific components of the Selberg proof are: 

• the Selberg symmetry formula 

• the inequality involving R(n) 

• a long calculation to show $R(n)$ approaches 0

This general outline is clearly discernible in the list of theory files, which can
be viewed online [?]. Keep in mind that the files described here have not been
modified since the original proof was completed, and many of the proofs were
written while various participants in the project were still learning how to use
Isabelle. Since then, some of the basic libraries have been revised and
incorporated into Isabelle, but Avigad intends to revise the number theory libraries
substantially before cleaning up the rest of the proof.

Once the basic libraries are in place, our formal proof follows Shapiro's 
presentation quite closely, though for some parts we followed Nathanson instead. 
A detailed description of our proof would amount to little more than a step-by- 
step narrative of (one of the various paths through) Selberg's proof, with page 
correspondences in texts we followed. For example, one of our formulations of 
the Mobius inversion is as follows: 

lemma mu_inversion_nat1a: "ALL n. (0 < n -->
    f n = (∑ d | d dvd n. g (n div d))) ==> 0 < (n::nat) ==>
    g n = (∑ d | d dvd n. of_int(mu(int(d))) * f (n div d))"

This appears on page 64 of Shapiro's book, and on page 218 of Nathanson's
book. We formalized a version of the fourth identity listed in Section 3.1 as
follows:

lemma identity_four_real_b: "(λx. ∑ i=1..natfloor(abs x).
    ln (real i) / (real i)) =o
  (λx. ln(abs x + 1)^2 / 2) +o O(λx. 1)"

In fact, stronger assertions can be found on page 93 of Shapiro's book, and on 
page 209 of Nathanson's book. Here is one of our formulations of the Selberg 
symmetry principle: 
lemma Selberg3: "(λx. ∑ n=1..natfloor (abs x) + 1.
    Lambda n * ln (real n)) + (λx. ∑ n=1..natfloor (abs x) + 1.
    (∑ u | u dvd n. Lambda u * Lambda (n div u)))
  =o (λx. 2 * (abs x + 1) * ln (abs x + 1)) +o O(λx. abs x + 1)"

This is given on page 419 of Shapiro's book, and on page 293 of Nathanson's
book. The error estimate given in the previous section, taken from page 431 of
Shapiro's book, takes the following form:

lemma error7: "(λx. abs (R (abs x + 1)) * ln (abs x + 1) ^ 2) <o
  (λx. 2 * (∑ n = 1..natfloor (abs x) + 1.
    abs (R ((abs x + 1) / real n)) * ln (real n))) =o
  O(λx. (abs x + 1) * (1 + ln (abs x + 1)))"

We will have more to say, below, about the handling of asymptotic notation, the
type casts, and the various occurrences of abs and +1 that make the formal
presentation differ from ordinary mathematical notation. But aside from calling
attention to differences like these, a more detailed outline would not be very
interesting.

There are additional reasons that it does not pay to describe the formal 
proofs in great detail. For one thing, they are not particularly nice: our efforts 
were designed to get us to the prime number theorem as quickly as possible, 
and so the proofs could use a good deal of cleaning and polishing. Second, and 
more to the point, we know that our formalization is not optimal. It hardly 
makes sense for us to describe exactly how we went about proving the Mobius 
inversion formula, for example, until we are convinced that we have done it 
right; that is, until we are convinced that we have made the supporting libraries
as generally useful as possible, and configured the automated tools in such a 
way to make the formalization as smooth as possible. We therefore intend to 
invest more time in improving the various parts of the formalization and report 
on these when it is clear what we have learned from the efforts. 

In the meanwhile, we will devote the rest of this report to conveying two types 
of information. First, to help gauge the usability of the current technology, we 
will try to provide a sense of the amount of time required to seeing the project 
through to its completion. Second, we will provide some initial reflections on the 
project, and on the strengths and weaknesses of contemporary proof assistants. 
In particular, we will discuss what we take to be some of the novel aspects of the 
formalization, and indicate where we believe better automated support would 
have been especially helpful. 

3.3 The effort involved 

As we have noted in the introduction, one of the most interesting features of our 

formalization of the prime number theorem is simply its existence, which shows 
that current technology makes it possible to treat a proof of this complexity. 
The question naturally arises as to how long the formalization took. 

This is a question that is hard to answer with any precision. Avigad first
decided to undertake the project in March of 2003, having learned how to use
Isabelle and proved Gauss's law of quadratic reciprocity with Gray and Adam
Kramer the preceding summer and fall. But this was a side project for everyone
involved, and the time associated with it includes time spent learning to use Isabelle,
time spent learning the requisite number theory, and so on. Gray developed
a substantial part of the number theory library, including basic facts about
primes and multiplicity, the $\mu$ function, and the identity (2), working a few
hours per week in the summer of 2003, before his thesis work in ethics took
over. Donnelly and Avigad developed the library to support big O calculations
[?] while Donnelly worked half-time during the summer of 2003, just after he
completed his junior year at Carnegie Mellon. During that summer, and working
part time the following year, Donnelly also derived some of the basic identities
involving $\ln$. Raff started working on the project in the 2003-2004 academic year,
but most of his contributions came working roughly half-time in the summer
of 2004, just after he obtained his undergraduate degree. During that time, he
proved Chebyshev's theorem to the effect that $\psi(x) = O(x)$, and also did most
of the work needed to prove the equivalence of statements of the prime number
theorem in terms of the functions $\pi$, $\theta$, and $\psi$. Though Avigad's involvement
was more constant, he rarely put in more than a few hours per week before the
summer of 2004, and set the project aside for long stretches of time. The bulk
of his proof scripts were written during the summer of 2004, when he worked
roughly half-time on the project from the middle of June to the end of August.

Some specific benchmarks may be more informative. Proving most of the
inversion theorems we needed, starting from (3) and the relevant properties
of $\mu$, took Avigad about a day. (For a "day" read eight hours of dedicated
formalization. Though he could put in work-days like that for small stretches,
in some of the estimates below, the work was spread out over longer periods
of time.) Proving the first version of the Selberg symmetry formula using the
requisite identities took another day. Along the way, he was often sidetracked
by the need to prove elementary facts about things like primes and divisibility,
or the floor function on the real numbers. This process stabilized, however, and
towards the end he found that he could formalize about a page of Shapiro's text
per day. Thus, the derivation of the error estimate described above, taken from
pages 428-431 in Shapiro's book, took about three-and-a-half days to formalize;
and the remainder of the proof, corresponding to 432-437 in Shapiro's book,
took about five days.

In many cases, the increase in length is dramatic: the three-and-a-half pages
of text associated with the proof of the error estimate translate to about 1,600
lines, or 37 pages, of proof scripts, and the five pages of text associated with the
final part of the proof translate to about 4,000 lines, or 89 pages, of proof scripts.
These ratios are abnormally high, however, for reasons discussed in Section 4.
The five-line derivation of the Möbius inversion formula in Section 3.1 translates
to about 40 lines, and the proof of the form of the Selberg symmetry formula
discussed there, carried out in about two-and-a-half pages in Shapiro's book,
takes up about 600 lines, or 13 pages. These ratios are more typical.

We suspect that over the coming years both the time it takes to carry out 
such formalizations, as well as the lengths of the formal proof scripts, will drop 
significantly. Much of the effort involved in the project was spent on the
following:

• Defining fundamental concepts and gathering basic libraries of easy facts. 

• Proving trivial lemmas and spelling out "straightforward" inferences. 

• Finding the right lemmas and theorems to apply. 

• Entering long formulas and expressions correctly, and adapting ordinary 
mathematical notation to the formal notation in Isabelle. 

Gradually, all these requirements will be ameliorated, as better libraries, auto- 
mated tools, and interfaces are developed. On a personal note, we are entirely 
convinced that, although there is a long road ahead, formal verification of math- 
ematics will inevitably become commonplace. Getting to that point will require 
both theoretical and practical ingenuity, but we do not see any conceptual
hurdles.³

4 Thoughts on the formalization

In this section, we will discuss features of the formalization that we feel are wor- 
thy of discussion, either because they represent novel and successful solutions to 
general problems, or (more commonly) because they indicate aspects of formal 
mathematical verification where better support is possible. 

4.1 Asymptotics 

One of our earliest tasks in the formalization was to develop a library to support
the requisite calculations with big O expressions. To that end, we gave the
expression $f = O(g)$ the strict reading $\exists C\, \forall x\, (|f(x)| \le C|g(x)|)$, and followed
the common practice of taking $O(g)$ to be the set of all functions with the
requisite rate of growth, i.e.

$$O(g) = \{ f \mid \exists C\, \forall x\, (|f(x)| \le C|g(x)|) \}.$$

We then read the "equality" in $f = O(g)$ as the element-of relation, $\in$.

Note that these expressions make sense for any function type for which the
codomain is an ordered ring. Isabelle's axiomatic type classes made it possible to
develop the library fully generally. We were able to lift operations like addition
and multiplication to such types, defining $f + g$ to denote the pointwise sum,
$\lambda x.\, (f(x) + g(x))$. Similarly, given a set $B$ of elements of a type that supports
addition, we defined

$$a +o B = \{ c \mid \exists b \in B\, (c = a + b) \}.$$

³For further speculation along these lines, see the preliminary notes [?].
We also defined $a =o B$ to be alternative input syntax for $a \in B$. This gave
expressions like $f =o g +o O(h)$ the intended meaning. In mathematical texts,
convention dictates that in an expression like $x^2 + 3x = x^2 + O(x)$, the terms are
to be interpreted as functions of $x$; in Isabelle we had to use lambda notation
to make this explicit. Thus, the expression above would be entered

(λx. x^2 + 3 * x) =o (λx. x^2) +o O(λx. x)

This should help the reader make sense of the formalizations presented in
Section 3.2.

An early version of our big O library was presented at IJCAR [?]. That
version is nonetheless fairly close to the version used in the proof of the prime
number theorem described here, as well as a version that is scheduled for the
2005 release of Isabelle.⁴

There is one feature of our library that seems to be less than optimal, and 
resulted in a good deal of tedium. With our definition, a statement like Ax. x + 
1 = 0{Xx. x'^) is false when the variables range over the natural numbers, since 
x'^ is equal to when x is 0. Often one wants to restrict one's attention to 
strictly positive natural numbers, or nonnegative real numbers. There are four 
ways one can do this: 

• Define new types for the strictly positive natural numbers, or nonnegative 
real numbers, and state the identities for those types. 

• Formalize the notion "/ — 0{g) on S*." 

• Formalize the notion "/ = 0{g) eventually." 

• Replace x by x + 1 in the first case, and by |x| in the second case, to 
make the identities correct. For example, "f(|x|) = O(|x|²)" expresses 
that f(x) = O(x²) on the nonnegative reals. Various similar tinkerings 
are effective; for example, the relationship intended in the example above 
is probably best expressed as λx. x + 1 = O(λx. x² + 1). 

These various options are discussed in the IJCAR paper and all come at 
a cost. For example, the first requires annoying casts, say, between positive 
natural numbers, and natural numbers. The second requires carrying around 
a set S in every formula, and both the second and third require additional 
work when composing expressions or reasoning about sums (roughly, one has to 
make sure that the range of a function lies in the domain where an asymptotic 
estimate is valid). 

In our formalization, we chose the fourth route, which explains the numerous 
occurrences of +1 and abs in the statements in Section 3.2. This often made 
some of the more complex calculations painfully tedious, forcing us, for example, 
to prove the following "helper" lemma in Selberg: 

lemma aux: "1 <= z ==> natfloor(abs(z - 1)) + 1 = natfloor z" 

⁴Improvements in the more recent versions include better and more general theorems in-
volving summations, theorems to handle composition of big O equations, and support for 
reasoning about asymptotic inequalities. Also, in the most recent version, we have dispensed 
with expressions of the form O(S), where S is a set of functions. It seems that uses of these 
are easily eliminable, and having O notation for both functions and sets of functions led to 
annoying type ambiguities. 

On the general principle that formalization goes most smoothly when the for- 
malization is as close as possible to the informal text, it is probably worth 
extending the library in the ways described above. We do not have a good 
sense, however, as to how much this would have simplified our task. 

Donnelly and Avigad have designed a decision procedure for entailments 
between linear big O equations, and have obtained a prototype implementation 
(though we have not incorporated it into the Isabelle framework). This would 
eliminate the need for helper lemmas like the following: 

lemma aux5: "f + g =o h +o O(k::'a=>('b::ordered_ring)) ==> 
  g + 1 =o h +o O(k) ==> f =o 1 +o O(k)" 

We believe calculations going beyond the linear fragment would also benefit 
from a better handling of monotonicity, just as is needed to support ordinary 
calculations with inequalities, as described in the next section. 



4.2 Calculations with real numbers 

One salient feature of the Selberg proof is the amount of calculation involved. 
The dramatic increase in the length of the formalization of the final part of the 
proof (5 pages in Shapiro, compared to 89 or so in the formal version) is directly 
attributable to the need to spell out calculations involving field operations, log- 
arithms and exponentiation, the greatest and least integer functions ("ceiling" 
and "floor"), and so on. The textbook calculations themselves were complex; 
but then each textbook inference had to be expanded, by hand, to what was 
often a long sequence of entirely straightforward inferences. 

Of course, Isabelle does provide some automated support. For example, 
the simplifier employs a form of ordered rewriting for operations, like addition 
and multiplication, that are associative and commutative. This puts terms 
involving these operations into canonical normal forms, thereby making it easy 
to verify equality of terms that differ up to such rewriting. More complex 
equalities can similarly be obtained by simplifying with appropriate rewrite 
rules, such as various forms of distributivity in a ring or identities for logarithms 
and exponents. 

Much of the work in the final stages of the proof, however, involved verifying 
inequalities between expressions. Isabelle's linear arithmetic package is complete 
for reasoning about inequalities between linear expressions in the integers and 
reals, i.e. validities that depend only on the linear fragment of these theories. 
But, many of the calculations went just beyond that, at which point we were 
stuck manipulating expressions by hand and applying low-level inferences. 

As a simple example, part of one of the long proofs in PrimeNumberTheorem 
required verifying that 

^^+3(CT3)^-"<^" 
using the following hypotheses: 

$$n < (K/2)\,x, \qquad 0 < C, \qquad 0 < \varepsilon < 1.$$

The conclusion is easily obtained by noting that the factor multiplying n is strictly less than 
2, and so the product with n is strictly less than 2(K/2)x = Kx. But spelling 
out the details requires, for one thing, invoking the relevant monotonicity rules 
for addition, multiplication, and division. The last two, in turn, require verify-
ing that the relevant terms are positive. Furthermore, getting the calculation 
to go through can require explicitly specifying terms like 2(K/2)x (which can 
be simplified to Kx), or, in other contexts, using rules like associativity or 
commutativity to manipulate terms into the forms required by the rules. 

The file PrimeNumberTheorem consists of a litany of such calculations. This 
required us to have names like "mult_left_mono," "add_pos_nonneg," "order_le_less_trans," 
"exp_less_cancel_iff," "pos_divide_le_eq" at our fingertips, or to 
search for them when they were needed. Furthermore, sign calculations had 
a way of coming back to haunt us. For example, verifying an inequality like 
1/(1 + st) < 1/(1 + su) might require showing that the denominators are pos-
itive, which, in turn, might require verifying that s, t, and u are nonnegative; 
but then showing st > su may again require verifying that s is positive. Since s 
can be carried along in a chain of inequalities, such queries for sign information 
can keep coming back. Isar made it easy to break out such facts, name them, 
and reuse them as needed. But since we were usually working in a context where 
obtaining the sign information was entirely straightforward, these concerns al- 
ways felt like an annoying distraction from the interesting and truly difficult 
parts of the calculations. 

In short, inferences like the ones we have just described are commonly treated 
as "obvious" in ordinary mathematical texts, and it would be nice if mechanized 
proof assistants could recognize them as such. Decision procedures that are 
stronger than linear arithmetic are available; for example, a proof-producing 
decision procedure for real-closed fields has recently been implemented in HOL-
light. But for calculations like the one above, computing sequences of partial 
derivatives, as decision procedures for the real closed fields are required to do, is 
arguably unnecessary and inefficient. Furthermore, decision procedures for real 
closed fields cannot be extended, say, to handle exponentiation and logarithms; 
and adding a generic monotone function, or trigonometric functions, or the floor 
function, renders the full theory undecidable. 

Thus, in contexts similar to ours, we expect that principled heuristic pro- 
cedures will be most effective. Roughly, one simply needs to chain backwards 
through the obvious rules in a sensible way. There are stumbling blocks, how- 
ever. For one thing, excessive case splits can lead to exponential blowup; e.g. one 
can show st > 0 by showing that s and t are either both strictly positive or both 
strictly negative. Other inferences are similarly nondeterministic: one can show 
r + s + t > 0 by showing that two of the terms are nonnegative and the third is 
strictly positive, and one can show r + s < t + u + v + w, say, by showing r < u, 
s < t + v, and 0 < w. 

As far as case splits are concerned, we suspect that they are rarely needed 
to establish "obvious" facts; for example, in straightforward calculations, the 
necessary sign information is typically available. As far as the second sort of 
nondeterminism is concerned, notice that the procedures for linear arithmetic 
are effective in drawing the requisite conclusions from available hypotheses; this 
is a reflection of the fact that the theory of the real numbers with addition 
(and, say, multiplication by rational constants) is decidable. 

The analogous theory of the reals with multiplication is also decidable. To see 
this, observe that the structure consisting of the strictly positive real numbers 
with multiplication is isomorphic to the structure of the real numbers with 
addition, and so the usual procedures for linear arithmetic carry over. More 
generally, by introducing case splits on the signs of the basic terms, one can 
reduce the multiplicative fragment of the reals to the previous case. 

In short, when the signs of the relevant terms are known, there are straight- 
forward and effective methods of deriving inequalities in the additive and mul- 
tiplicative fragments. This suggests that what is really needed is a principled 
method of amalgamating such "local" procedures, together with, say, proce- 
dures that make use of monotonicity and sign properties of logarithms and 
exponentiation. The well-known Nelson-Oppen procedure provides a method 
of amalgamating decision procedures for disjoint theories that share only the 
equality symbol in their common language; but these methods fail for theories 
that share an inequality symbol when one adds, say, rational constants to the 
language, which is necessary to render such combinations nontrivial. We be- 
lieve that there are principled ways, however, of extending the Nelson-Oppen 
framework to obtain useful heuristic procedures. This possibility is explored in 
Avigad and Friedman 

4.3 Casting between domains 

In our formalization, we found that the most natural way to establish basic 
properties of the functions θ, ψ, and π, as well as Chebyshev's theorems, was 
to treat them as functions from the natural numbers to the reals, rather than 
as functions from the reals to the reals. Either way, however, it is clear that the 
relevant proofs have to use the embedding of the natural numbers into the reals 
in an essential way. Since the μ function takes positive and negative values, we 
were also forced to deal with integers as soon as μ came into play. In short, 
our proof of the prime number theorem inevitably involved combining reasoning 
about the natural numbers, integers, and real numbers effectively; and this, in 
turn, involved frequent casting between the various domains. 

We tended to address such needs as they arose, in an ad-hoc way. For 
example, the version of the fundamental theorem of arithmetic that we inherited 
from prior Isabelle distributions asserts that every positive natural number can 
be written uniquely as the product of an increasing list of primes. Developing 
properties of the radical function required being able to express the unique 
factorization theorem in the more natural form that every positive number is 
the product of the primes that divide it, raised to the appropriate multiplicity; 
i.e. the fact that for every n > 0, 

$$n = \prod_{p \mid n} p^{\mathrm{mult}_p(n)},$$

where $\mathrm{mult}_p(n)$ denotes the multiplicity of p in n. We also needed, at our 
disposal, things like the fact that n divides m if and only if for every prime 
number p, the multiplicity of p in n is less than or equal to the multiplicity of p in 
m. Thus, early on, we faced the dual tasks of translating the unique factorization 
theorem from a statement about positive natural numbers to positive integers, 
and developing a good theory of multiplicity in that setting. Later, when proving 
Chebyshev's theorems, we found that we needed to recast some of the facts about 
multiplicity to statements about natural numbers. 
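As an added illustration of the multiplicity form of unique factorization and of the divisibility criterion just stated (example code written for this page, in Python rather than Isabelle, and not part of the formalization), the following factors small integers by trial division, rebuilds n from its multiplicity map, checks n | m against the criterion that mult_p(n) ≤ mult_p(m) for every prime p, and computes the radical (the product of the distinct primes dividing n). The function names and the brute-force factorizer are my own and are only meant for small inputs.

```python
# Example code for this page; not part of the Isabelle formalization.
from collections import Counter
from math import prod


def multiplicities(n: int) -> Counter:
    """Return the map p -> mult_p(n) over the primes p dividing n (n > 0).
    Plain trial division, adequate for the small inputs used here."""
    if n <= 0:
        raise ValueError("multiplicity is only defined for positive n")
    mult = Counter()
    p = 2
    while p * p <= n:
        while n % p == 0:
            mult[p] += 1
            n //= p
        p += 1
    if n > 1:          # whatever remains is itself a prime factor
        mult[n] += 1
    return mult


def product_of_prime_powers(mult: Counter) -> int:
    """n = prod_{p | n} p^{mult_p(n)}; the empty product (n = 1) is 1."""
    return prod(p ** e for p, e in mult.items())


def divides_via_multiplicities(n: int, m: int) -> bool:
    """n | m  iff  mult_p(n) <= mult_p(m) for every prime p.
    A Counter returns 0 for primes that do not occur in m, which is the
    multiplicity convention the criterion needs."""
    mn, mm = multiplicities(n), multiplicities(m)
    return all(e <= mm[p] for p, e in mn.items())


def radical(n: int) -> int:
    """Product of the distinct primes dividing n; radical(1) = 1."""
    return prod(multiplicities(n))


def divisibility_agrees(limit: int) -> bool:
    """Cross-check the multiplicity criterion against the remainder test
    for all 1 <= n, m <= limit (constructed sanity check)."""
    return all(divides_via_multiplicities(n, m) == (m % n == 0)
               for n in range(1, limit + 1) for m in range(1, limit + 1))


if __name__ == "__main__":
    print(dict(multiplicities(360)), radical(360), divides_via_multiplicities(12, 360))
```

The `Counter` default of 0 for absent keys is what makes the divisibility criterion read exactly as the informal statement; in the formalization the same convention has to be made explicit in the definition of multiplicity.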

We faced similar headaches when we began serious calculations involving 
natural numbers and the reals. In particular, as we proceeded we were forced 
to develop a substantial theory of the floor and ceiling functions, including a 
theory of their behavior vis-a-vis the various field operations. In calculations, 
expressions sometimes involved objects of all three types, and we often had to 
explicitly transport operations in or out of casts in order to apply a relevant 
lemma. 

When one extends a domain like the natural numbers to the integers, or 

the integers to the real numbers, some operations are simply extended. For 
example, properties of addition and multiplication of natural numbers carry all 
the way through to the reals. On the other hand, one has new operations, like 
subtraction on the integers and division in the real numbers, that are mirrored 
imperfectly in the smaller domains. For example, subtraction on the integers 
extends truncated subtraction x − y on the natural numbers only when x ≥ y, 
and division in the reals extends the function x div y on the integers or natural 
numbers only when y divides x. Finally, there are facts that depend on the 
choice of a left inverse to the embedding: for example, if n is an integer, x is a 
real number, real is the embedding of the integers into the reals, and ⌊·⌋ denotes 
the floor function from the reals to the integers, we have 

$$(n \le \lfloor x \rfloor) = (\mathrm{real}(n) \le x).$$

This is an example of what mathematicians call a Galois correspondence, and 
category theorists call an adjunction, between the integers and the real numbers 
with the ordering relation. 

Our formalization of the prime number theorem involved a good deal of ma- 
nipulation of expressions, by hand, using the three types of facts just described. 
Many of these inferences should be handled automatically. After all, such issues 
are transparent in mathematical texts; we carry out the necessary inferences 
smoothly and unconsciously whenever we read an ordinary proof. The guiding 
principle should be that anything that is transparent to us can be made trans- 
parent to a mechanized proof assistant: we simply need to reflect on why we are 
effectively able to combine domains in ordinary mathematical reasoning, and 
codify that knowledge appropriately. 

4.4 Combinatorial reasoning with sums 

As described in Section 3.2, formalizing the prime number theorem involved a 
good deal of combinatorial reasoning with sums and products. Thus, we had 
to develop some basic theorems to support such reasoning, many of which have 
since been moved into Isabelle's HOL library. These include, for example, 

lemma setsum_cartesian_product: 
  "(∑x∈A. (∑y∈B. f x y)) = (∑z∈A <*> B. f (fst z) (snd z))" 

which allows one to view a double summation as a sum over a cartesian product. 
A more interesting example is 

lemma setsum_reindex: 
  "inj_on f B ==> (∑x∈f`B. h x) = (∑x∈B. (h o f)(x))" 

which expresses that if / is an injective function on a set B, then summing h 
over the image of B under / is the same as summing ho f over B. In particular, 
if / is a bijection from B to A, the second identity implies that summing h 
over A is the same as summing ho f over B. This type of "reindexing" is often 
so transparent in mathematical arguments that when we first came across an 
instance where we needed it (long ago, when proving quadratic reciprocity), it 
took some thought to identify the relevant principle. It is needed, for example, 
to show 

$$\sum_{d \mid n} f(d) = \sum_{d \mid n} f(n/d),$$

using the fact that f(d) = n/d is a bijection from the set of divisors of n to 
itself; or, for example, to show 

$$\sum_{d d' = c} h(d, d') = \sum_{d \mid c} h(d, c/d),$$

using the fact that f{d) = {d,c/d) is a bijection from the set of divisors of c to 
{(d, d') I dd' = c}. The reindexing lemma is a discrete analogue of integration 
by substitution, so it is likely that methods developed to support such inferences 
will be more generally useful. 
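Added example code for the reindexing principle (Python, written for this page; it is not the Isabelle lemma and not part of the formalization): `reindex_sides` evaluates both sides of setsum_reindex on a finite set B and refuses to proceed when f is not injective on B, and the two helpers instantiate it to the divisor identities above using the bijections d ↦ n/d and d ↦ (d, c/d). The function names and the brute-force divisor enumeration are my own; the constructed failure case at the end shows why the injectivity hypothesis cannot be dropped.

```python
# Example code for this page; not part of the Isabelle formalization.
from itertools import product


def divisors(n: int) -> set:
    """The set of d with d | n, for n >= 1 (brute force; fine for small n)."""
    return {d for d in range(1, n + 1) if n % d == 0}


def reindex_sides(g, f, B, require_injective=True):
    """Both sides of setsum_reindex on a finite set B:
    (sum of g over the image f`B, sum of g o f over B).
    The identity needs inj_on f B; with require_injective=True a collision
    f(b) = f(b') for b != b' raises instead of silently returning unequal sides."""
    image = {}
    for b in B:
        y = f(b)
        if require_injective and y in image and image[y] != b:
            raise ValueError(f"f is not injective on B: f({image[y]}) = f({b}) = {y!r}")
        image[y] = b
    return sum(g(y) for y in image), sum(g(f(b)) for b in B)


def divisor_sum_reflected(g, n):
    """sum_{d|n} g(d) versus sum_{d|n} g(n/d).
    f(d) = n/d maps the divisor set of n bijectively onto itself, so the image
    side is sum_{d|n} g(d) and the composed side is sum_{d|n} g(n/d)."""
    return reindex_sides(g, lambda d: n // d, divisors(n))


def pair_sum_via_divisors(h, c):
    """sum_{d d' = c} h(d, d') versus sum_{d|c} h(d, c/d), via d -> (d, c/d).
    Returns (direct sum over the pairs, image side, composed side)."""
    pairs = {(d, dp) for d, dp in product(range(1, c + 1), repeat=2) if d * dp == c}
    direct = sum(h(d, dp) for d, dp in pairs)
    image_side, composed = reindex_sides(lambda p: h(*p), lambda d: (d, c // d), divisors(c))
    return direct, image_side, composed


def injectivity_is_checked() -> bool:
    """Constructed failure case: the constant map collapses B = {1, 2, 3} to one
    point, so the image side is 1 while the composed side is 3. Without the
    check the sides disagree; with it the call raises."""
    lhs, rhs = reindex_sides(lambda y: 1, lambda b: 0, {1, 2, 3}, require_injective=False)
    try:
        reindex_sides(lambda y: 1, lambda b: 0, {1, 2, 3})
    except ValueError:
        return lhs != rhs
    return False


if __name__ == "__main__":
    print(divisor_sum_reflected(lambda d: d * d, 12))
    print(pair_sum_via_divisors(lambda d, dp: d - dp, 30))
```

Running the pair example with h(d, d') = d − d' gives 0 on all three sides, which is the symmetry one would use the reindexing for in the first place; the constant-map case is the kind of silent failure that the inj_on side condition in the Isabelle lemma rules out.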

In Isabelle, if σ is any type, then σ set denotes the type of all subsets of σ. 
The predicate "finite" is defined inductively for these subset types. Isabelle's 
summation operator takes a subset A of σ and a function f from σ to any 
type with an appropriate notion of addition, and returns $\sum_{x \in A} f(x)$. This 
summation operator really only makes sense when A is a finite subset, so many 
identities have to be restricted accordingly. (An alternative would be to define 
a type of finite subsets of σ, with appropriate closure operations; but then work 
would be required to translate properties of arbitrary subsets to properties of 
finite subsets, or to mediate relationships between finite subsets and arbitrary 
subsets.) This has the net effect that applying an identity involving a sum 
or product often requires one to verify that the relevant sets are finite. This 
difficulty is ameliorated by defining $\sum_{x \in A} f(x)$ to be 0 when A is infinite, since 
it then turns out that a number of identities hold in the unrestricted form. But 
this fix is not universal, and so finiteness issues tend to pop up repeatedly when 
one carries out a long calculation. 

In short, at present, carrying out combinatorial calculations often requires 
a number of straightforward verifications involving reindexing and finiteness. 
Once again, these are inferences that are nearly transparent in ordinary math- 
ematical texts, and so, by our general principle, we should expect mechanized 
proof assistants to take care of them. As before, there are stumbling blocks; 
for example, when reindexing is needed, the appropriate injection / has to be 
pulled from the air. We expect, however, that in the types of inferences that 
are commonly viewed as obvious, there are natural candidates for /. So this 
is yet another domain where reflection and empirical work should allow us to 
make proof assistants more usable. 

4.5 Devising elementary proofs 

Anyone who has undertaken serious work in formal mathematical verification 
has faced the task of adapting an ordinary mathematical proof so that it can 
be carried out using the libraries and resources available. When a proof uses 
mathematical "machinery" that is unavailable, one is faced with the choice of 
expanding the background libraries to the point where one can take the orig- 
inal proof at face value, or finding workarounds, say, by replacing the original 
arguments with ones that are more elementary. The need to rewrite proofs in 
such a way can be frustrating, but the task can also be oddly enjoyable: it poses 
interesting puzzles, and enables one to better understand the relationship of the 
advanced mathematical methods to the elementary substitutes. As more power- 
ful mathematical libraries are developed, the need for elementary workarounds 
will gradually fade, and with it, alas, one good reason for investing time in such 
exercises. 

Our decision to use Selberg's proof rather than a complex-analytic one is an 
instance of this phenomenon. To this day, we do not have a sense of how long it 
would have taken to build up a complex-analysis library sufficient to formalize 
one of the more common proofs of the prime number theorem, nor how much 
easier a formal verification of the prime number theorem would have been in 
the presence of such a library. 

But similar issues arose even with respect to the mild uses of analysis re- 
quired by the Selberg proof. Isabelle's real library gave us a good theory of 
limits, series, derivatives, and the basic transcendental functions, but it had 
almost no theory of integration to speak of. Rather than develop such a theory, 
we found that we were able to work around the mild uses of integration needed 
in the Selberg proof.⁶ Often, we also had to search for quick patches to other 
gaps in the underlying library. For the reader's edification and entertainment, 
we describe a few such workarounds here. 

⁶Since the project began, Sebastian Skalberg managed to import the more extensive analysis 
library from the HOL theorem prover to Isabelle. By the time that happened though, we 
had already worked around most of the applications of analysis needed for the proof. 

Recall that one of the fundamental identities we needed asserts 

$$\ln(1 + 1/n) = 1/n + O(1/n^2).$$

This follows from the fact that ln(1 + x) is well approximated by x when x 
is small, which, in turn, can be seen from the Maclaurin series for ln(1 + x), 
or even the fact that the derivative of ln(1 + x) is equal to 1 at 0. But these 
were among the few elementary properties of transcendental functions that were 
missing from the real library. How could we work around this? 

To be more specific: Fleuriot's real library defined $e^x$ by the power series 
$e^x = \sum_{n=0}^{\infty} x^n/n!$, and showed that $e^x$ is strictly increasing, $e^0 = 1$, $e^{x+y} = e^x e^y$ 
for every x and y, and the range of $e^x$ is exactly the set of positive reals. The 
library then defines ln to be a left inverse to $e^x$. The puzzle was to use these 
facts to show that $|\ln(1 + x) - x| < x^2$ when x is positive and small enough. 

Here is the solution we hit upon. First, note that when $x > 0$, $e^x > 1 + x$, 
and so $x > \ln(1 + x)$. Replacing x by $x^2$, we also have 

$$e^{x^2} > 1 + x^2. \tag{5}$$

On the other hand, the definition of $e^x$ can be used to show 

$$e^x < 1 + x + x^2 \tag{6}$$

when $0 < x < 1/2$. From (5) and (6) we have 

$$e^{x - x^2} = \frac{e^x}{e^{x^2}} < \frac{1 + x + x^2}{1 + x^2} < 1 + x,$$

where the last inequality is easily obtained by multiplying through. Taking 
logarithms of both sides, we have 

$$x - x^2 < \ln(1 + x) < x$$

when $0 < x < 1/2$, as required. In fact, a similar calculation yields bounds on 
ln(1 + x) when x is negative and close to 0. This can be used to show that the 
derivative of ln x is 1/x; the details are left to the reader. 

For another example, consider the problem of showing that $\sum_{n=1}^{\infty} 1/n^2$ 
converges. This follows immediately from the integral test: $\sum_{n=2}^{\infty} 1/n^2 \le \int_1^{\infty} dx/x^2 = 1$. 
How can it be obtained otherwise? Answer: simply write 

$$\sum_{n=1}^{M} \frac{1}{n^2} \le 1 + \sum_{n=2}^{M} \frac{1}{n(n-1)} = 1 + \sum_{n=2}^{M} \left(\frac{1}{n-1} - \frac{1}{n}\right) = 1 + 1 - \frac{1}{M} \le 2,$$

where the second equality relies on the fact that the preceding expression in-
volves a telescoping sum. Having to stop frequently to work out puzzles like 
these helped us appreciate the immense power of the Newton-Leibniz calculus, 
which provides uniform and mechanical methods for solving such problems. The 
reader may wish to consider what can be done to show that the sum $\sum 1/n^a$ 
is convergent for general values of a > 1, or even for the special case a = 3/2. 
Fortunately, we did not need these facts. 
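Added here as a worked derivation (not in the original paper): the puzzle just posed can be settled with finite sums alone, in the spirit of the telescoping trick above, by grouping the terms into dyadic blocks so that the bound becomes a finite geometric series. For a > 1 and any K ≥ 1,

$$
\sum_{n=1}^{2^K - 1} \frac{1}{n^a}
= \sum_{k=0}^{K-1} \;\sum_{n=2^k}^{2^{k+1}-1} \frac{1}{n^a}
\le \sum_{k=0}^{K-1} 2^k \cdot \frac{1}{(2^k)^a}
= \sum_{k=0}^{K-1} \left(2^{1-a}\right)^k
< \frac{1}{1 - 2^{1-a}},
$$

since the k-th block has $2^k$ terms, each at most $1/(2^k)^a$, and $0 < 2^{1-a} < 1$ exactly when a > 1. Every partial sum $\sum_{n=1}^{M} 1/n^a$ is dominated by the one with $M = 2^K - 1 \ge M$, so the partial sums are increasing and bounded, hence convergent. For a = 3/2 the bound is $1/(1 - 2^{-1/2}) = 2 + \sqrt{2}$. Nothing beyond the finite geometric sum and monotone convergence is used, so the argument fits the library the proof had to live with.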
Now consider the identity 

$$\sum_{n \le x} \frac{1}{n} = \ln x + O(1).$$

To obtain this, note that when x is a positive integer we can write ln x as a 
telescoping sum, 

$$
\begin{aligned}
\ln x &= \sum_{n \le x-1} \bigl(\ln(n+1) - \ln n\bigr) \\
      &= \sum_{n \le x-1} \ln(1 + 1/n) \\
      &= \sum_{n \le x-1} \frac{1}{n} + O\Bigl(\sum_{n \le x} \frac{1}{n^2}\Bigr) \\
      &= \sum_{n \le x} \frac{1}{n} + O(1).
\end{aligned}
$$

We learned this trick from Cornaros and Dimitracopoulos. In fact, a slight 
refinement of the argument shows 

$$\sum_{n \le x} \frac{1}{n} = \ln x + C + O(1/x)$$

for some constant, C. This constant is commonly known as Euler's constant, 
denoted by γ. 
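As an added worked derivation (the paper states the refinement but does not carry it out), here is the refinement using only the telescoping identity above and the bound $x - x^2 < \ln(1+x) < x$ for $0 < x < 1/2$ from the previous puzzle; x is a positive integer throughout, as in the argument just given. For n ≥ 1 put

$$a_n = \frac{1}{n} - \ln\Bigl(1 + \frac{1}{n}\Bigr).$$

Since $\ln(1+y) < y$ for y > 0, every $a_n$ is positive, and for n ≥ 3 (so that 1/n < 1/2) the lower bound gives $0 < a_n < 1/n^2$. The telescoping identity $\ln x = \sum_{n \le x-1} \ln(1 + 1/n)$ then yields, for every integer x ≥ 1,

$$\sum_{n \le x} \frac{1}{n} - \ln x = \sum_{n \le x-1} a_n + \frac{1}{x}.$$

The partial sums of the $a_n$ are increasing and bounded, because for N ≥ 3

$$\sum_{n \le N} a_n < a_1 + a_2 + \sum_{n=3}^{N} \frac{1}{n(n-1)} = a_1 + a_2 + \frac{1}{2} - \frac{1}{N},$$

so they converge to some constant $C = \sum_{n \ge 1} a_n$. Subtracting C from the identity above, for x ≥ 3,

$$\sum_{n \le x} \frac{1}{n} - \ln x - C = \frac{1}{x} - \sum_{n \ge x} a_n,
\qquad
0 < \sum_{n \ge x} a_n < \sum_{n \ge x} \frac{1}{n(n-1)} = \frac{1}{x-1} \le \frac{2}{x},$$

where the tail is again a telescoping sum. The right-hand side therefore lies strictly between $-1/x$ and $1/x$, which is exactly

$$\sum_{n \le x} \frac{1}{n} = \ln x + C + O(1/x).$$

The constant obtained this way is γ; the derivation needs no integration, only the two elementary tools already on hand.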

One last puzzle: how can one show that $\ln x / x^a$ approaches 0, for any a > 0? 
Here is our solution. First, note that we have $\ln x < \ln(1 + x) < x$ for every 
positive x. Thus we have 

$$a \ln x = \ln x^a < x^a$$

for every positive x and a. Replacing a by a/2 and dividing both sides by $a x^a / 2$, 
we obtain $\ln x / x^a < 2/(a x^{a/2})$. It is then easy to show that the right-hand side 
approaches 0 as x approaches infinity. 

5 Conclusions 

Our efforts show that formal verification of significant mathematical theorems 
is possible, although more work is needed before the practice is likely to become 
widespread. In an ideal situation, it would be possible to enter mathematical 
text almost exactly as it appears in a careful and precise informal presentation, 
and interactive proof systems would be able to verify inferences at that level. 
Our formalization of the prime number theorem provides a case study that 
clarifies some of the ways in which the current technology falls short of the 
ideal. 

The formal statements of theorems in Section 3.2 are notably less attractive 
than their informal counterparts in Section 3.1. The difference is not merely 
cosmetic; notation is an integral part of mathematics, and it is unreasonable to 
expect the mathematical community to make notational sacrifices for mechani-
cal convenience. Integrating formal verification into mathematical practice will 
therefore require us to take ordinary mathematical notation extremely seriously. 

The biggest obstacle at present is the gap between those inferences that 
ordinary mathematicians recognize as obvious, and those that can be verified 
automatically by conventional proof assistants. We have suggested one strategy 
for improvement, namely, to reflect on the capacities that enable us, in specific 
domains, to verify textbook inferences, and then to formalize that understand- 
ing. In particular, it seems that fairly straightforward support for reasoning 
about inequalities between real numbers and casts between integers and real 
numbers would have simplified our task substantially. 

Progress in formal verification will require a broad but focused philosoph- 
ical reflection on ordinary mathematical practice, together with robust formal 
characterizations of that practice and sound engineering. As such, the field 
represents an auspicious combination of theory and practice. 